06032beb930bc8737073f3f719fd79f1.ppt

- Количество слайдов: 146

Cryptographic Message Authentication Entity Authentication Passwords, Challenge-Response +Time Stamping Nicolas T. Courtois - University College London

Reading Two Main Areas in Authentication 1. Cryptographic Message Authentication – MACs / Digital signatures + complex protocols 2. Entity Authentication, – Passwords, • – Challenge-Response: • 2 static = bad dynamic: the right answer to all questions at the exam Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Vocabulary Basic concepts. 1. Identification: declare who you are. 2. [Entity] Authentication: prove it. But a Secure Identification Scheme = 1+2 = Entity Authentication Scheme can be considered as synonyms. 3 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Crypto Revision in Comp. Sec crypto=black boxes 4 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Goals of Cryptography 1. Confidentiality: privacy, anonymity or pseudonymity. 2. Authenticity, Integrity, Non-repudiation… 3. Fair play and resistance to malicious behaviours in multiparty protocols… 4. Meta: Trust (or Accountability), Openness, Governance, Compliance, Auditing, Alerting, Risk Assessment. . . 5 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 ***The Security ? 3 -point Formal Approach What is Security ? Inability to achieve: 1. Security against what: Adversarial Goal. 2. Against whom: resources of the Adversary: money, human resources, computing power, memory, risk, expertise, etc. . 3. Access to the system. 6 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 ****The Security ? 3 -point Formal Approach Security Notion / Definition = a triple: 1. Adversarial Goal. 2. Resources of the Adversary. 3. Access / Attack. One can ONLY talk about security w. r. t. a given triple. May not hold for other triple. 7 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Authenticity -Vocabulary Two Main Areas: 1. Message Authentication. 2. Entity Authentication / Identification Closely related… 8 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Entity Authentication / Identification 3 FACTORS: A person/device can be authenticated by 1. Something that he/it knows. • PIN, password, knowledge of an AES key, private RSA key etc. . 2. Something that he/it has. • Smart card, USB key, TPM module, and other tamper-resistant hardware… 3. Something that he/it is. • 9 Biometrics, unique physical characteristics (cf. snow flake). Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Multi-factor authentication: To enter the office, one needs: 1. A PIN. 2. A smart card. We speak about 2 -factor system. High security systems (e. g. bank vault, military lab, etc. ) requires to systematically and simultaneously use 3 factors => Good security. 10 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Message Authenticity – Goals Different security levels: 1. Correct transmission – no (random) transmission error. A malicious attacker can always modify it. • 2. Integrity – no modification possible if the “tag/digest” is authentic. If we cannot guarantee the authenticity of the tag, a malicious attacker can still modify and re-compute the hash. • 3. Achieved with cryptographic hash functions (= MDC). (e. g. SHA-1). Authenticity – specific source. Authentified with some secret information (key). • 4 a. Achieved with a MAC (= a hash function with a key = a secret-key signature). Non-repudiation – very strong requirement. Only one person/entity/device can produce this document. • 4 b. Achieved with Digital Signatures. The strongest method of message authentication. Public verify-ability. Everybody can be convinced of the authenticity (trust the bank ? ). • 11 Achieved with CRC and/or error correction/detection codes. Achieved with Digital Signatures. The strongest method of message authentication. Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Signatures Can be: Public key: • Real full-fledged digital signatures. Secret key: • Not « real signatures » but MACs. • Widely used in practice, in some cases OK… 12 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 MACs = “Secret-Key Signatures” m MAC algorithm yes/no (m, ) MAC algorithm forgery sk (secret key) 13 sk (secret key) Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Digital Signatures m signing algorithm yes/no (m, ) verification algorithm forgery sk (private key) 14 pk (public key) Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Digital Signatures with Message Recovery m signing algorithm m ( ) yes/no verification algorithm forgery sk (private key) 15 pk (public key) Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Signatures - Requirements 1. 2. Authenticity – guarantees the document signed by… Non-repudiation – normally only possible with public-key signatures. – 3. Unless if we assume that we dispose of a tamper-resistant hardware (e. g. a smart card) the non-repudiation can be achieved with a MAC based on AES ! Public verify-ability - normally only possible with public-key signatures. – Unless there is a trusted third party (e. g. independent and trusted authority, an electronic notary service), then public verify-ability will be achieved with a MAC based on AES ! CONCLUSION; secret key signatures can work in practice… but are fundamentally either less secure or less practical (what if the notary stops responding, the smart card destroys itself because it thinks it is being attacked etc. . ). 16 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Digital Signatures: Top of the Top: • The strongest known form of Message Authentication: – Integrity, and more: – Authenticity, and more: – Public Verifiability ( secret key signatures, MACs), and more: – Non-repudiation: I’m the only person that can sign… 17 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 *Digital Signatures vs. Authentication • Strongest known form of Message Authentication. • Allows also authentication of a token/device/person (e. g. EMV DDA, US Passport): – challenge –response (just sign the challenge) • The reverse does not hold: – Not always possible to transform authentication into signature. More costly in general ! Sym. encryption << P. K. authentication < signature 18 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Part 3 Cryptographic Hashing 19 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Hash Functions 20 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 What do We Sign ? The Problem: Public key crypto is very slow. Sign a long message with RSA, impossible, even on a 40 GHz CPU ! ÞUse hash function. ÞSign a short « digest » of the message. 21 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Hashing In computer science we have: - hashing (weak), not security just some mixing and chopping… - must be very fast. - Example: hash tables, such as hash_set<> in C++ STL. - cryptographic hashing (strong), - nobody should ever find any weakness in it - should be very fast, but NOT at the expense of security ! 22 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 [Cryptographic] Hash Function: m A hash function (or hash algorithm) is a reproducible method of turning data (usually a message or a file) into a number suitable to be handled by a computer. These functions provide a way of creating a small digital "fingerprint" from any kind of data. The function chops and mixes (i. e. , substitutes or transposes) the data to create the fingerprint, often called a hash value. The hash value is commonly represented as a short string of random-looking letters and numbers (Binary data written in hexadecimal notation). 0 - bits 23 Nicolas T. Courtois, January 2009 H(m) H A 94 A 8 FE 5 CCB 19 BA 6 1 C 4 C 0873 D 391 E 987 982 FBBD 3 >=160 bits

Comp. Sec COMPGA 01 Hash-then-Sign m A hash function (or hash algorithm) is a reproducible method of turning data (usually a message or a file) into a number suitable to be handled by a computer. These functions provide a way of creating a small digital "fingerprint" from any kind of data. The function chops and mixes (i. e. , substitutes or transposes) the data to create the fingerprint, often called a hash value. The hash value is commonly represented as a short string of random-looking letters and numbers (Binary data written in hexadecimal notation). 0 - bits 24 Nicolas T. Courtois, January 2009 H(m) H Digital Signature e. g. RSAPSS >=160 bits 098 f 6 bcd 46 21 d 373 cade 4 e 832627 b 4 >=80 bits

Comp. Sec COMPGA 01 Hash Functions = MDC 25 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 • • 26 Requirements public function, no secret keys or parameters. arbitrary (or very long) length -> fixed length easy/fast to compute hard to: Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Requirements OWF 27 SPR Nicolas T. Courtois, January 2009 CR

Comp. Sec COMPGA 01 Cryptographic Hash Functions Hash functions – typical requirements: • OWHF = One-Way Hash Functions. Strict Minimum – OWF – SPR • CRHF = Collision-Resistant Hash Functions. A Lot / 2 little ? – OWF – CR – already hard to achieve… • Many people demand even much more of hash functions: – – – 28 OWF SPR CR– already hard to achieve… PRF – very strong requirement. very fast, standardized, with partial security proofs etc. Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 One-Way Functions (OWF) x ? x, such that x = f-1(y) easy y = f(x) 29 hard y Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Preimage Resistance == OWF = Preimage Resistant: Let y be chosen at random. “Hard” to find x s. t. H(x)=y. Hard=? - Concrete security: Let y be on n bits. • It should take time about 2 n. • Remark: If it takes 2 n/3 it is a OWF in asymptotic sense, yet very insecure in practice ! Note: OW seems quite easy to achieve. 30 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Another Important Requirement SPR – Second Preimage Resistant. Note: Seems very feasible to achieve. Hard=? - Concrete security: • It should take time about 2 n. • Knowing one x can helps to reduce the difficulty if there is a weakness somewhere… • For a well designed function, to know one x doesn’t seem to help a lot… 31 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Passwords 32 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 The Key Idea Prover sends a password to a Verifier. The channel is assumed private. • Integrity? – The channel doesn’t really have to be authenticated or noise-free… • this will affect usability and availability, but not the security 33 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Areas of Study Care is needed when: • Choosing the password – (and the technology: e. g. visual passwords) • Storing the password on each side – cryptography – software / hardware security • Using/typing the password: – *** vs shoulder surfing • Transmitting the password – (encrypted in some way? ) neither necessary nor sufficient… • Destroying the password (why not) 34 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Attacks Taxonomy • • Guessing Snooping / shoulder surfing Eavesdropping / sniffing Spoofing (fake login page) Impersonation = masquerading = illegitimate access with correct credentials 35 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 How to Measure Password Strength 36 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Threat Models for Password Inherent Strength If Interception => Replay attacks. Security is lost. Without interception: • Online guessing, pass or fail. • Offline password cracking. Target: • against one user • many users, target one: can be easier! • target many users 37 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Measures of Strength • Choosing the password – Entropy, • single user’s password, how hard is it to guess it? A: 23. 4 attempts. – Min-entropy = -log 2(P most frequent password): • the weakest == the most frequent password, • important in attacks against multiple users – Conditional entropy: • similar as old password, • same as another password, • correlated with memorable places dates names etc 38 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Revision About Entropy 39 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 A Random Variable By definition, a [real-valued] random variable X, is an application X: IR. For each realisation of the experiment, X takes some value. Each random variable has a probability distribution. Assume that a source X outputs one of the values x 1. . xm. Then the probability distribution of X is defined by the pi =def= Pr[X= xi]. 40 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Entropy of a Source Again let X be a random variable (with a finite or infinite number of possible outcomes xi). The entropy of X [Shannon] is: H(X) =def= - x Pr[X=x] log 2 Pr[X=x] It depends on the probability distribution and : H(X) = - i pi log 2 pi 41 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 *Properties of the Entropy Joint source: • H(X, Y) >= H(X) with equality if and only if Y can be written as f(X). (The joint entropy is bigger than of one source, except if the second source is fully dependent on the first, then Y does not bring any additional uncertainty. ) • H(X, Y) <= H(X) + H(Y) with equality if and only if X and Y are independent. (When the variables are independent, the uncertainties add up. If not, the uncertainty will be less than the sum of the two. ) 42 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Properties of the Entropy Very important Theorem: • If there are n possible values xi with Pr[X=xi]>0, then H(X) <= log 2 (n) with equality if and only if the distribution is uniform. (Biased sources yield less information ! (e. g. advertisements on TV). Not much uncertainty in what they will say. ) 43 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Corollary: Theorem 12 -1 in Bishop The average expected time to guess a password [for one fixed user] is maximised when all the possible passwords are equiprobable. Proof: from last page: H(X) <= log 2 (n) with equality if and only if the distribution is uniform 44 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Conditional Entropy The same, but the universe “shrinks”. The entropy of X knowing Y H(X | Y) It measures the amount of uncertainty remaining about X when Y has been observed and is known. 45 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Conditional Entropy - Formulas The entropy of X knowing Y (also called equivocation of Y about X): H(X | Y) = y p(y) * H(X | Y=y) = - x Pr[X=x | Y] log 2 Pr[X=x | Y] = - xy p(x, y) * log 2 p(x|y) = - xy p(x|y)*p(y) * log 2 p(x|y) Measures the amount of uncertainty remaining about X when Y has been observed and is known. 46 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 *Conditional Entropy - Properties • H(X | Y) >= 0 and H(X | X) = 0. (There is no uncertainty left about X when we know X. ) • H(X | Y) = H(X, Y) – H(Y) (The conditional entropy is equal to joint entropy where we remove the entropy of Y, because we know Y. ) • H(X | Y) <= H(X) with equality if and only if X and Y are independent. (The entropy of X can only decrease when we know Y. If it doesn’t, means that X does not depend at all on Y. ) 47 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Mutual Information • I(X, Y) =def= H(X | Y)-H(X)=H(X, Y)-H(X) (how much information is common, symmetric value) 48 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Management 49 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Bad Users fail to manage passwords properly. And in various ways. including highly comical ones. 50 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Bad User? Users have the right to be bad. 51 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Rules UCL and many other organizations: 1. Limit the size of passwords. 8 characters max. – Why? No reason. • • • 2. A the same time they make them impossible to remember – 3. so that users would not write them down? They must do it as well now. User’s would not forget them? They do anyway. 8 characters are still crackable by brute force. (must use numbers, &”=+- etc – forcing this can lead to lower entropy if password is short. . ). capital letters: do confuse our memory, and visual memory not used because of * Frequent change every few months. Does it make sense? – – Yes, if we assume that people do sometimes share a password with a colleague (they do, more frequent that any real attack). Makes it even harder to manage, and remember, helpdesk workload. These choices are not exact science, they are a matter of opinion. Or ideology. Or misplaced priorities. Who’s fault it is? Ours, in almost every security 52 related university module we taught the IT people that the password must be strong. Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Chosen? System-Generated? 99% of systems including most banks allow people to chose their passwords. This makes them much less secure. • • • 53 lower entropy in general even for security-aware users, humans are just TOTALLY UNABLE to generate really random numbers, entropy is just lower! PIN=1234 is usually banned but can make it 7777… Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Recall: Theorem 12 -1 in Bishop The average expected time to guess a password [for one fixed user] is maximised when all the possible passwords are equiprobable. Proof: H(X) <= log 2 (n) with equality if and only if the distribution is uniform 54 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Random and Uniform The most secure policy is random + uniform • must be system-generated then, – • very few people can do random and uniform incidentally, it is random uniform, it is WRONG to ban PIN=1234 or Password=Alice 1234 – Some people in the UK should have bank card PIN 1234. • Otherwise it is easier to guess PINs for other people, – 55 lower entropy, see previous Thm! Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 System-Generated! The most secure policy is system-generated and truly random. • Only then it can be relatively short (say 8 -12 characters). • Excellent protection against reuse. • But not perfect, this password can be reused in another system that does allow to chose passwords, – • checking for similarity with previous passwords is actually ineffective – 56 now if every system generates passwords itself, reuse is impossible. what? yes, system cannot check with other systems (password reuse) Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 *Yet Another Method Against Reuse… Suggested by Yvo Desmedt, privately in 2010. • Can be added to most password policies. • Always publish an UNSALTED hash of your password. – Drawback: massive offline cracking will find ALL weak passwords. So works only IF passwords are BOTH • • 57 unique and very strong. Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Specific Controls Most people implement most of these nowadays: • Compare to last 5 passwords • how to cheat: change password 5 times today to erase the history – • check if the password is not in a dictionary – prevents dictionary attack? • not a more general one, – – – • a dictionary attack looking for word 78 will still work. no need to store the whole dictionary of English either, some words have such a low frequency and are known by such a small circle of people… a modern “dictionary attack” need to contain a knowledge about the probability distribution of real-life passwords, » able to sample this distribution in the order of decreasing frequency maximum validity time policy – but to avoid users bypassing that, • 58 conclusion: keep the whole history keep history of recent passwords? Problems, see later… Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Write Passwords Down? Recommended by Schneier recently [2008] Inevitable, people have 1000 s of passwords Better than reuse(!) Very practical. Defeating the purpose of 2 -factor authentication: • sth we know -> sth we have? • One can get the best of both worlds: – – write them in an “enigmatic” way, or write a half of it… A real solution, exists commercially but rarely used: use a hash function, store the input or get rid of passwords totally, • replace by a token/card + PIN 59 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Remove Asterisks? Recommended by Schneier even more recently [2009] Show the password on the screen… I strongly disagree with this recommendation. Again, one can have the best of both worlds. Example: on my Nokia phone: • shows each character for ½ second, then replace by a *. – nice compromise between security and usability. 60 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Dead or Alive? Schneier, already some 10 years ago… noticed that passwords are no longer secure OR no longer usable. – It is not even feasible to remember one really strong password. • Idea: just not enough entropy, – Assuming available data allows offline brute force attacks » a large intelligence agency will crack a great majority of passwords… But passwords are alive and kicking • still on the raise, new applications… • and attacks are arguably not a problem – because there are still so many easier attacks on systems anyway… 61 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Secondary Passwords Two problems: • Usually less secure, backdoor entry point – [cf. Schneier blog entry] • Legitimate users fail to pass. – Most these questions such as the “name of your first pet” do or “your fist car” do not have a unique answer, • problems with spelling, capital letters etc. 62 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Secondary Passwords Recommendations: • It can be a good idea give a false mother maiden’s name, – but then you must be able to remember what it was!!! (write it down). • Schneier recommends that people give totally random answers to these secondary passwords. – Yes but write them down and keep them. 63 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage OS Side, For Password Verification Purposes 64 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage and Verification How to store a password p ? Method 1: store p. VERY BAD ! Unnecessary point of failure. Not needed! Key concept: OWF. 65 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage and Verification Method 2: store h(p). Better but… Brute force attacks possible though h is a OWF. Guessing and checking the passwords. A OWF does protect strong passwords, but it reveals weak ones. 66 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage and Verification Method 2: store h(p). Problem: in a system with many users: – Example: in very old versions Unix /etc/passwd stored all hashes. – world readable – now for each single password tried, • each hash can be tried against all users – the attack time can be divided by as much as the number of users – h(p) for all users an be stored in a hash table, constant access time -- check for ALL users in O(1). – similarly, a dictionary attack will be facilitated too: • for a dictionary and in increasing frequency order, compute h(a) and check if in hash table. 67 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage and Verification Method 3: Key idea: use a different hash function for each user (!). – Example 1: store h(name, p). – Example 2: store h(salt, p), salt. • • • With salt being a random “Shadow ID” for this user. A modified DES-based variant is used in Unix… ***later /etc/shadow is used, readable only by its owner=root now cannot relate password from different users, removes the faster dictionary attack form the last slide Requirement: OWF. SPR not needed ! 68 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Salting – Method 3. 2. h(salt, p), salt. • with salt being a random and anonymous “Shadow ID” for this user. Requirements: • Should be different for each user. • Should be also different for the same user in another computer system. 69 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 So It Is Better To Have: Method 3. 3. : store h(name, machine ID, salt, password), salt. 70 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 3. 2. – The Most Popular Version Unix, Windows… 71 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Where is the File? Unix: /etc/shadow Windows: C: WindowsSystem 32configSAM Q: What’s wrong with this method? 72 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 How Bad Can This Get? [2012] In June 2012 a file containing over six million password hashes which allegedly originated from Linked. In was widely circulated over the Internet. • Hashes were NOT salted. • Later hackers found out lots of passwords using rainbow tables and dictionary attacks. – Many cracked passwords contained "linked" or even "linkedin" in the form, for example "lawrencelinkedin". – Even passwords such as "parikh 093760239", "a 06 v 1203 n 08" and "376417 miata? “ has already been cracked… – No one can feel secure… 73 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Windows Passwords Historically quite easy to crack… Example: In Windows XP: Two methods will work: 1. Boot the machine using Oph. Crack CD. It will break and show the passwords for all the accounts including admin. 2. Using a bootable live CD OS, replace the SAM file in C: WindowsSystem 32configSAM taken from another machine for which the Administrator password is known. • Now one can boot this system using the password from the other system. Better: use chntpw tool, Lab 4. Can change pwd, reset, disable, unlock, promote to admin. 74 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage and Verification Method 4: Use a key-dependent hash function (or a block cipher such as AES) and a tamper resistant module that will check passwords. Hardware Security Module (HSM) +may add an administrative password or key escrow system to prevent data loss 75 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 *Password Storage vs. Size/Entropy Assuming best machine-dependent salted hashes == Method 3. 3. Is say 60 bits password secure enough? Equiv. 12 characters like “_gme 1&ls&: ” Is there a “birthday paradox” attack in 230 ? ? ? 76 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 *Password Storage vs. Size/Entropy Assuming best machine-dependent salted hashes == Method 3. 3. Is say 60 bits password secure enough? Equiv. 12 characters like “_gme 1&ls&: ” No birthday paradox attack. 60 bits practically secure, but 80 bits is better. Nice trick: use a slower hash function to slow down the attacker. This allows to have more humanfriendly (shorter) passwords like 50 bits. 77 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Storage on Human User Side It becomes totally indispensable to keep a log (backup) of all passwords. Good practices: • divide in 2 -3 categories, – financial passwords either • complete passwords on paper only and in a safe • mnemonics/hint on paper only – keep passwords of less importance in an encrypted file, or on paper, or in a mobile phone directory – many phones allow to specify which directory entries are stored in a SIM card, » extra PIN protection if phone lost/stolen » but data can still be stolen in real time by a hacker/forensic tool 78 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 **Self-Defeating Security 79 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 ****UCL Rules UCL and many other organizations: 1. Limit the size of passwords. 8 characters max. – Why? No reason. • • • 2. A the same time they make them impossible to remember – 3. so that users would not write them down? They must do it as well now. User’s would not forget them? They do anyway. 8 characters are still crackable by brute force. (must use numbers, &”=+- etc). Frequent change every few months. Does it make sense? – – Yes, if we assume that people do sometimes share a password with a colleague (they do, more frequent that any real attack). Makes it even harder to manage, and remember, helpdesk workload. These choices are not exact science, they are a matter of opinion. Who’s fault it is? Ours, in almost every security-related university module we taught the IT people that the password must be strong. 80 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 **Maximum Validity + Not Too Similar An example of a self-defeating security policy that may, and will in many implementations make systems easier to hack. Maximum validity time policy: but to avoid users bypassing that and keeping the same one anyway, • keep history of recent passwords – can be implemented correctly with hash functions, • • check if not too similar to a previous password, – 81 just store all [salted] hashes does it mean that the system stores our old passwords in plaintext? Nope, there is a solution to that: the program that changes the password takes the old password as a parameter. Most of the time it does anyway. So we don’t need to store the old password in clear text… yet we can check it securely against the hash because we can recompute the hash from this parameter. Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 **Not Too Similar To Any Older? Last case: • check if not too similar to several older passwords? – Very hard to implement this correctly • – best implementation: • • • 82 so IT people that imposes this policy made our systems less secure, including at UCL store older passwords in cleartext and the current password hashed cf Method 3. 3, enforce system-generated passwords Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Human-Friendly Solutions 83 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Human Solutions • just use very long passwords, but in English, – easier to remember at same hardness level? • Visual Passwords, • Pass Faces, • etc Cf. People and Security, prof. Angela Sasse 84 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Cracking Passwords 85 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Password Crackers Most are based on the combination of • dictionaries – [able to sample in decreasing probability order] • time-memory-data tradeoffs, [Martin Hellman 1980] – usually implemented using rainbow tables [Philippe Oechslin 2003] 86 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Unix Passwords Example: John the Ripper software: • claims legitimate purpose, – detecting weak password by system admin • supports 11 versions of Unix • cracks – several DES-based versions – MD 5 -based – Blowfish-based [Open. BSD] 87 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Windows Passwords Historically quite easy to crack… Example: In Windows XP: Two methods will work: 1. Boot the machine using Oph. Crack CD. It will break and show the passwords for all the accounts including admin. 2. Using a bootable live CD OS, replace the SAM file in C: WindowsSystem 32configSAM taken from another machine for which the Administrator password is known. Now one can boot this system using the password from the other system. 88 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Ms Office Passwords Historically tools to break them could always be bought on the Internet… Shareware - 50 $… 89 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 ZIP and PGP passwords Distributed cracker running on many PCs, 5000 $… 90 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 PDF password crackers 25 -400 $ 91 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Defences 92 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Limited Disclosure Schemes Used by many banks, please type digits 1, 3, 4 and the last. 93 Nicolas T. Courtois, January 2009 * *

Comp. Sec COMPGA 01 Limited Disclosure Schemes Used by many banks, please type digits 1, 3, 4 and the last. * * There are non-trivial implementation choices: • Q 1: How many wrong attempts before system locked say for 1 day? • Q 2: How many wrong attempts before system locked forever? 94 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Q 3: Same Or Different Subset? Used by many banks, please type digits 1, 3, 4 and the last. * * • Next login (after success): use different subset • Next login (after failure): ask for THE SAME subset, better • resist better to shoulder surfing. – If the user is careless or has bad memory, repeated re-authentication increases the exposure – more data is leaking, and shoulder surfing can compromise the whole password instantly, this can be mitigated by time delays between attempts. • Attack: Spoofed login screen will claim it was wrong and ask for a different subset 3 times, enough to capture everything. 95 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Limited Disclosure Schemes How to store these passwords? Store individual characters? ? ? NOT GOOD, BRUTE FORCE each character at a time!!! No good solution, [very large storage would be needed]. Possible solution: hash some but not all subsets of 7 out of 24. Does not work well, entropy of each cases too low against brute force/dictionary… Advanced attacks: cf. FC’ 13. 96 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Defences Against Attack Attempts And against legitimate users that are very frequently are unable to log themselves… Main policies used in practice: • Disconnection: – just release the connection for now, no sanction • Disable the account after several unsuccessful trials – denial of service, can be used in your office but not on the Internet • Backoff: – add a delay at each attempt, • typically grows exponentially, but can be slow, e. g. (1. 1)n • Jailing: – if password is incorrect, give the user access to a fake system… • could be used more frequently but it is very hard to produce a false systems that looks genuine, so this usually just allows to follow a few first steps of the attack, seeing what he is up to or what he is primarily looking for 97 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Silent Alarm Password/PIN Defense against an attacker that forces us to reveal the password / PIN. A secondary password / PIN that is accepted but raises an alarm. A. k. a. “duress PIN”. Exists in RSA Secure. Id system. 98 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Passwords = Static Authentication 99 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Skimming Bank Cards 100 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Can We Do Better? 101 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Beyond Passwords In the real world, passwords are • low entropy, • yet impossible to remember, • shared, • reused Hackers do • guess / crack them • intercept/record and replay Can we defend against all these? • reset passwords frequently… check if strong • or move from static to dynamic schemes! 102 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Dynamic Authentication 103 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Dynamic vs. Static Authentication Dynamic as opposed to static. dynamic (authentication) systems: • One-Time Passwords (OTP), • • 104 – in any order, counter-based, frame number-based time based random challenge-based data+challenge based: better, data can be the same Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 One Time and Better… 105 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 One-Time Passwords (OTP) Key properties: • The password is changed each time • The attacker cannot know it in advance, – real-time MIM attacks remain possible • The fraudulent authentication attempts are detected 106 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Lamport OTP Scheme Based on OWF. Use hash chains. Go backwards. Let x 1=h(x), x 2=h(x 1), …, x 1000=h(x 999). Store x 1000 on the server. Small storage. Fast. Go backwards, reveal x 1000 at first attempt. Then reveal x 999 etc. Each xi allows to log-in only once. 107 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 One-Time Passwords in Banking A card with printed random numbers. Problem: can be photocopied… – and the user still has it, naively thinking it is secure… 108 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 One-Time Passwords? Time-synchronized OTP RSA Secure. ID etc. Wrong: This is NOT a OTP scheme. Though everybody calls it a OTP token… It is no longer a OTP, it is nearly a challenge-response system, kind of half way. Where challenge = time. • Except that the challenge is fixed for 30 -60 s. Window of opportunity: 30 s, second session possible connected from another location… 109 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 RSA Secure. ID is a 2 -factor System => 110 PC login… Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Proprietary Symmetric Algorithm (secret) 111 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Challenge-Response Protocols • Better, – the right answer to replay attacks. – essential and indispensable 112 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 C-R Authentication - History IFF: Identify Friend or Foe (1942) Challenge -Response problem: relay attacks 113 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 MIM Relay Attacks Mitigated by precise measure of timing. travel faster than speed of light travel in time. problem: relay attacks 114 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Nonces and Time Stamps 115 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Nonces nonce = a number used once, counter/sequence number » less secure in the sense of challenge-response random nonce = a random challenge = a random Warning: frequently, a random nonce will be called just nonce, but what is meant is a random nonce. 116 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Time vs. Nonce Time can replace a random nonce, can simplify protocols, • between very slightly and a lot less secure, • mainly depending on time granularity. Dynamic, half way between static authentication and challenge-response systems (the best). 117 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Timestamps in Computer Science A time stamp is a standard way of representing the time. Protocols use a standard representation. • ISO 8601 covers all these. • Examples: 2007 -11 -09 T 11: 20 UTC Sat Jul 23 02: 16: 57 2005 1234567890 Unix time: the number of seconds since 00: 00 UTC on January 1, 1970 UTC Unix time passed 1, 234, 567, 890 seconds on February 13, 2009 at exactly 23: 31: 30 Beware of the year 2038 bug… will become 0. 118 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Secure Time Stamps 119 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Timestamps in Cryptology A secure time stamp = Time Stamp Token = TST is a token that is [some requirements can be optional] 1. is unforgeable – can be expensive to insure, • • 2. will depend on your data/context • • 3. if you hash it together with a random number, data remains private the simplest case: this data will be the time itself alone cannot be created before a given time. – 4. example: contains the title of todays’ newspaper. cannot be created later either, – 120 CPU cost, timestamp length, PK infrastructure Q: can it be verified in real time? for example publish a hash of your timestamp in a newspaper… Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Practical Solutions Time Stamp Authority = TSA Time Stamp Token = TST 121 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 One Possible Scheme TSA Data Hash Requester Data Hash TST Data Hash Time Stamp Crypto Bind 122 TST Crypto Bind Nicolas T. Courtois, January 2009 Digital Data

Comp. Sec COMPGA 01 Verification Model Prover TST Relying Party Data Hash Digital Data Hash Time Stamp TST Nicolas T. Courtois, January 2009 Crypto Bind 123 Data Hash Time Stamp Crypto Bind

Comp. Sec COMPGA 01 Industrial Standards ANS X 9. 95 Trusted Time Stamp Based on existing standards: – – 124 IETF 3161 Internet X. 509 Public Key Infrastructure Time-Stamp Protocol (TSP) ISO 18014 Information Technology – Security Techniques – Time Stamping Services Provides management and security requirements, techniques and application process flows Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Time Stamps and Digital Signatures If a secure timestamp is included in data signed by the digital signature, it further increases the power of non-repudiation now to guarantee: • who • what • when 125 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Uni-directional Authentication 126 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Unilateral Authentication statement, [interactive] proof 127 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Unilateral Authentication Historically very popular. Examples: • password -> login – OK if we trust the browser + the DNS, • or a PK certificate-based secure tunnel is needed. • SIM card -> GSM base station (fixed in 3 G) • offline bank card transactions -> Point of Sale terminal Problems: • login page spoofing etc. • false GSM base stations, • false ATMs, 128 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Unilateral with Time/Counters 129 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Unilateral Authentication Let tc be indifferently: • current time • a secure (i. e. cryptographic) time stamp • a nonce in the sense of a counter • a sequence number Any other value that is sort of guaranteed never to repeat. 130 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 K A Unilateral with Time/Counter A, tc, MACK(tc, B) K B can also use a block or stream cipher, but always works as a MAC here Q 1: why the name of A is included? Q 2: why the name of B is included? 131 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 K A Unilateral with Time/Counter A, tc, MACK(tc, B) K B can also use a block or stream cipher, but always works as a MAC here Q 1: why the name of A is included? Q 2: why the name of B is included? Reflection attack: reuse when B authenticating to A concurrently without knowing the key. 132 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Unilateral with Time/Counters - PK Versions 133 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 SKA PKA A PK-Version with Digital Signatures A, tc, SSK(A)(tc, B) all differences boil down to radically different key management… 134 Nicolas T. Courtois, January 2009 PKA B

Comp. Sec COMPGA 01 SKA PKA Further PKI Version PKCert PKA A cert. A, tc, SSK(A)(tc, B) further changed the key management… 135 Nicolas T. Courtois, January 2009 B

Comp. Sec COMPGA 01 Unilateral with Random Nonces (better) 136 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 K A random. B A, MACK(random. B, B) can also use a block or stream cipher, but always works as a MAC here Q 1: why the name of A is included? Q 2: why the name of B is included? Reflection attack: reuse when B authenticating to A concurrently without knowing the key. 137 K Unilateral with a Random Nonce Nicolas T. Courtois, January 2009 B

Comp. Sec COMPGA 01 Unilateral with Random Nonces - PK Versions 138 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Public Key – Based Schemes Here more possibilities than with time. Two approaches exist. Alice has her private key SK(A). Two methods to demonstrate the knowledge of this key: • sign a message chosen by Bob. • decrypt a message encrypted by Bob with Alice’s public key. How? 139 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 SKA PKA A PK-Unilateral with PK Encryption h(r. B), B, EPK(A)(r. B, B) PKA B r. B Q 1: why we do have h(r. B) in the first message? A witness: prevents CCA. Q 2: why we do have B twice in the first message? 140 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 SKA PKA A PK-Unilateral with PK Encryption h(r. B), B, EPK(A)(r. B, B) PKA B r. B Q 1: why we do have h(r. B) in the first message? A witness: -CCA. Q 2: why we do have B twice in the first message? Vaguely compelling reasons: Guarantees good independence of different sessions. Bob’s identity is known and the person that produced the random is the only one that is able to know who B is. Alice checks if B=B before she replies. 141 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 SKA PKA Same with PKI PKA A cert. A h(r. B), B, EPK(A)(r. B, B) r. B 142 Nicolas T. Courtois, January 2009 PKCert B

Comp. Sec COMPGA 01 Public Key – Based Schemes Here more possibilities than with time. Two approaches exist. Alice has her private key SK(A). Two methods to demonstrate the knowledge of this key: • decrypt a message encrypted by Bob with Alice’s public key. • sign a message chosen by Bob. With PKI, second solution is more practical! (the first required one more message) 143 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 SKA PKA A PK-Unilateral with Dig. Sign. r. B PKA cert. A, r. A, SSK(A)(r. A, r. B, B) Q 1: why we don’t have A here? Unique key. Q 2: why we have added here r. A? 144 Nicolas T. Courtois, January 2009 PKCert B

Comp. Sec COMPGA 01 SKA PKA A PK-Unilateral with Dig. Sign. r. B PKA PKCert B cert. A, r. A, SSK(A)(r. A, r. B, B) Q 1: why we don’t have A here? Unique key. Q 2: why we have added here r. A? Again CMA, prevent signing messages entirely chosen by a potential attacker => not strictly needed if signature scheme is proven secure. . . + subtle reasons: allow audit/freshness even if Bob’s random numbers repeat. 145 Nicolas T. Courtois, January 2009

Comp. Sec COMPGA 01 Quiz • Can passwords be stored encrypted by a deterministic block cipher algorithm with a fixed key, encryption being implemented in hardware? – What if the storage is also implemented in a secure hardware? • • • Give two examples of self-defeating security recommendations regarding passwords. How to use a hash function to store a password? Does it require a OWHF or CRHF? In which case the entropy measures the strength of a password? What is min-entropy and in which case it measures the strength of a password? What is “spoofing” in the context of password security? – does “spoofing” require any “sniffing”? • • 146 What are three factors? Why writing the password down defeats a 2 -factor system without necessarily making it less secure? Solutions? Which one is better: random challenge-based or time-based authentication? Should user-chosen passwords be limited to 8 chars by system admin? What is a secure cryptographic timestamp? Nicolas T. Courtois, January 2009